feat: support OAuth token revocation during unlink or account delete (sahat#1546)

Add best-effort OAuth token revocation (RFC 7009-style and provider-specific variants) when users unlink an OAuth provider or delete their account, to reduce lingering third-party access.

- Introduces a token revocation helper (config/token-revocation.js) and a provider revocation registry (providerRevocationConfig) in config/passport.js.
-- The providerRevocationConfig is in config/passport.js to keep them in the same file as other provider specific OAuth related config/meta data.
- Hooks revocation into /account/unlink/:provider and /account/delete flows.
- Adds unit tests covering multiple revocation auth-method variants and documents the new helper in README.

Author: YasharF

README.md

@@ -79,6 +79,7 @@ I also tried to make it as **generic** and **reusable** as possible to cover mos
   - Verify Email
   - **Two-Factor Authentication (2FA)** Email codes and Authenticator apps
   - Link multiple OAuth provider accounts to one account
+  - OAuth token revocation
   - Delete Account
 - Contact Form (powered by SMTP via Mailgun, AWS SES, etc.)
 - File upload
@@ -555,6 +556,7 @@ The metadata for Open Graph is only set up for the home page (`home.pug`). Updat
 | **config**/morgan.js             | Configuration for request logging with morgan.                       |
 | **config**/nodemailer.js         | Configuration and helper function for sending email with nodemailer. |
 | **config**/passport.js           | Passport Local and OAuth strategies, plus login middleware.          |
+| **config**/token-revocation.js   | Helper for revoking OAuth tokens.                                    |
 | **controllers**/ai.js            | Controller for /ai route and all ai examples and boilerplates.       |
 | **controllers**/api.js           | Controller for /api route and all api examples.                      |
 | **controllers**/contact.js       | Controller for contact form.                                         |

config/passport.js

@@ -841,6 +841,77 @@ const discordStrategyConfig = new OAuth2Strategy(
 passport.use('discord', discordStrategyConfig);
 refresh.use('discord', discordStrategyConfig);
 
+/**
+ * Token Revocation Config
+ *
+ * Providers with a revocation endpoint. Used by config/token-revocation.js
+ * to revoke tokens on unlink or account deletion.
+ *
+ * authMethod values:
+ *   'body'           – client_id + client_secret + token in form-encoded body
+ *   'basic'          – HTTP Basic auth (client_id:client_secret) + token in form body
+ *   'token_only'     – only the token in form-encoded body
+ *   'client_id_only' – client_id + token in body (no client_secret)
+ *   'json_body'      – JSON body with token, client_id, client_secret
+ *   'trakt'          – JSON body + trakt-api-key / trakt-api-version headers
+ *   'facebook'       – HTTP DELETE with access_token as query param
+ *   'github'         – HTTP DELETE with Basic auth + JSON body
+ *   'oauth1'         – OAuth 1.0a signed POST (needs consumerKey/consumerSecret)
+ */
+const providerRevocationConfig = {
+  google: {
+    revokeURL: 'https://oauth2.googleapis.com/revoke',
+    authMethod: 'token_only',
+  },
+  facebook: {
+    revokeURL: 'https://graph.facebook.com/me/permissions',
+    authMethod: 'facebook',
+  },
+  github: {
+    revokeURL: `https://api.github.com/applications/${process.env.GITHUB_ID}/token`,
+    clientId: process.env.GITHUB_ID,
+    clientSecret: process.env.GITHUB_SECRET,
+    authMethod: 'github',
+  },
+  x: {
+    revokeURL: 'https://api.x.com/1.1/oauth/invalidate_token',
+    consumerKey: process.env.X_KEY,
+    consumerSecret: process.env.X_SECRET,
+    authMethod: 'oauth1',
+  },
+  linkedin: {
+    revokeURL: 'https://www.linkedin.com/oauth/v2/revoke',
+    clientId: process.env.LINKEDIN_ID,
+    clientSecret: process.env.LINKEDIN_SECRET,
+    authMethod: 'body',
+  },
+  discord: {
+    revokeURL: 'https://discord.com/api/oauth2/token/revoke',
+    clientId: process.env.DISCORD_CLIENT_ID,
+    clientSecret: process.env.DISCORD_CLIENT_SECRET,
+    authMethod: 'body',
+  },
+  twitch: {
+    revokeURL: 'https://id.twitch.tv/oauth2/revoke',
+    clientId: process.env.TWITCH_CLIENT_ID,
+    authMethod: 'client_id_only',
+  },
+  trakt: {
+    revokeURL: 'https://api.trakt.tv/oauth/revoke',
+    clientId: process.env.TRAKT_ID,
+    clientSecret: process.env.TRAKT_SECRET,
+    authMethod: 'trakt',
+  },
+  quickbooks: {
+    revokeURL: 'https://developer.api.intuit.com/v2/oauth2/tokens/revoke',
+    clientId: process.env.QUICKBOOKS_CLIENT_ID,
+    clientSecret: process.env.QUICKBOOKS_CLIENT_SECRET,
+    authMethod: 'basic',
+  },
+};
+
+exports.providerRevocationConfig = providerRevocationConfig;
+
 /**
  * Login Required middleware.
  */

config/token-revocation.js

@@ -0,0 +1,149 @@
+const crypto = require('node:crypto');
+const { providerRevocationConfig } = require('./passport');
+
+function generateOAuth1Header(method, url, consumerKey, consumerSecret, token, tokenSecret) {
+  const nonce = crypto.randomBytes(16).toString('hex');
+  const timestamp = Math.floor(Date.now() / 1000).toString();
+  const params = {
+    oauth_consumer_key: consumerKey,
+    oauth_nonce: nonce,
+    oauth_signature_method: 'HMAC-SHA1',
+    oauth_timestamp: timestamp,
+    oauth_token: token,
+    oauth_version: '1.0',
+  };
+  const paramStr = Object.keys(params)
+    .sort()
+    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
+    .join('&');
+  const baseStr = `${method.toUpperCase()}&${encodeURIComponent(url)}&${encodeURIComponent(paramStr)}`;
+  const signingKey = `${encodeURIComponent(consumerSecret)}&${encodeURIComponent(tokenSecret || '')}`;
+  const signature = crypto.createHmac('sha1', signingKey).update(baseStr).digest('base64');
+  params.oauth_signature = signature;
+  return `OAuth ${Object.keys(params)
+    .sort()
+    .map((k) => `${encodeURIComponent(k)}="${encodeURIComponent(params[k])}"`)
+    .join(', ')}`;
+}
+
+const REQUIRED_FIELDS = {
+  basic: ['clientId', 'clientSecret'],
+  body: ['clientId', 'clientSecret'],
+  json_body: ['clientId', 'clientSecret'],
+  trakt: ['clientId', 'clientSecret'],
+  client_id_only: ['clientId'],
+  github: ['clientId', 'clientSecret'],
+  oauth1: ['consumerKey', 'consumerSecret'],
+  token_only: [],
+  facebook: [],
+};
+
+const REVOKE_TIMEOUT_MS = 8000;
+
+async function revokeToken(revokeURL, token, tokenTypeHint, config, tokenSecret) {
+  let timeout;
+  try {
+    const required = REQUIRED_FIELDS[config.authMethod];
+    if (required) {
+      const missing = required.filter((f) => !config[f]);
+      if (missing.length > 0) {
+        console.warn(`Token revocation: skipping ${config.authMethod} — missing config: ${missing.join(', ')}`);
+        return false;
+      }
+    }
+    const controller = new AbortController();
+    timeout = setTimeout(() => controller.abort(), REVOKE_TIMEOUT_MS);
+    const headers = {};
+    let body;
+    let method = 'POST';
+    let finalURL = revokeURL;
+    switch (config.authMethod) {
+      case 'basic': {
+        const credentials = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
+        headers.Authorization = `Basic ${credentials}`;
+        headers['Content-Type'] = 'application/x-www-form-urlencoded';
+        body = new URLSearchParams({ token, token_type_hint: tokenTypeHint });
+        break;
+      }
+      case 'body': {
+        headers['Content-Type'] = 'application/x-www-form-urlencoded';
+        body = new URLSearchParams({ token, token_type_hint: tokenTypeHint, client_id: config.clientId, client_secret: config.clientSecret });
+        break;
+      }
+      case 'token_only': {
+        headers['Content-Type'] = 'application/x-www-form-urlencoded';
+        body = new URLSearchParams({ token });
+        break;
+      }
+      case 'client_id_only': {
+        headers['Content-Type'] = 'application/x-www-form-urlencoded';
+        body = new URLSearchParams({ token, client_id: config.clientId });
+        break;
+      }
+      case 'json_body': {
+        headers['Content-Type'] = 'application/json';
+        body = JSON.stringify({ token, client_id: config.clientId, client_secret: config.clientSecret });
+        break;
+      }
+      case 'trakt': {
+        headers['Content-Type'] = 'application/json';
+        headers['trakt-api-key'] = config.clientId;
+        headers['trakt-api-version'] = '2';
+        body = JSON.stringify({ token, client_id: config.clientId, client_secret: config.clientSecret });
+        break;
+      }
+      case 'facebook': {
+        method = 'DELETE';
+        finalURL = `${revokeURL}?access_token=${encodeURIComponent(token)}`;
+        break;
+      }
+      case 'github': {
+        method = 'DELETE';
+        const creds = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
+        headers.Authorization = `Basic ${creds}`;
+        headers.Accept = 'application/vnd.github+json';
+        headers['X-GitHub-Api-Version'] = '2022-11-28';
+        headers['Content-Type'] = 'application/json';
+        body = JSON.stringify({ access_token: token });
+        break;
+      }
+      case 'oauth1': {
+        headers.Authorization = generateOAuth1Header('POST', revokeURL, config.consumerKey, config.consumerSecret, token, tokenSecret);
+        break;
+      }
+      default:
+        console.warn(`Token revocation: unknown authMethod '${config.authMethod}'`);
+        return false;
+    }
+    const response = await fetch(finalURL, { method, headers, body, signal: controller.signal });
+    if (response.ok) return true;
+    console.warn(`Token revocation: ${revokeURL} responded with HTTP ${response.status}`);
+    return false;
+  } catch (err) {
+    console.warn(`Token revocation: request to ${revokeURL} failed — ${err.message}`);
+    return false;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+async function revokeProviderTokens(providerName, tokenData) {
+  const config = providerRevocationConfig[providerName];
+  if (!config || !tokenData) return;
+  const tasks = [];
+  if (tokenData.refreshToken) {
+    tasks.push(revokeToken(config.revokeURL, tokenData.refreshToken, 'refresh_token', config, tokenData.tokenSecret));
+  }
+  if (tokenData.accessToken) {
+    tasks.push(revokeToken(config.revokeURL, tokenData.accessToken, 'access_token', config, tokenData.tokenSecret));
+  }
+  await Promise.allSettled(tasks);
+}
+
+async function revokeAllProviderTokens(tokens) {
+  if (!tokens || tokens.length === 0) return;
+  const tasks = tokens.filter((t) => providerRevocationConfig[t.kind]).map((t) => revokeProviderTokens(t.kind, t));
+  await Promise.allSettled(tasks);
+}
+
+module.exports = { revokeProviderTokens, revokeAllProviderTokens };

controllers/user.js

@@ -7,6 +7,7 @@ const User = require('../models/User');
 const Session = require('../models/Session');
 const nodemailerConfig = require('../config/nodemailer');
 const aiAgentController = require('./ai-agent');
+const { revokeProviderTokens, revokeAllProviderTokens } = require('../config/token-revocation');
 
 /**
  * GET /login
@@ -396,6 +397,8 @@ exports.postUpdatePassword = async (req, res, next) => {
 exports.postDeleteAccount = async (req, res, next) => {
   try {
     const userId = req.user.id;
+    // Best-effort: revoke OAuth tokens at provider endpoints before deleting
+    await revokeAllProviderTokens(req.user.tokens);
     await aiAgentController.deleteUserAIAgentData(userId); // Delete user's AI agent chat history
     await User.deleteOne({ _id: userId });
     req.logout((err) => {
@@ -421,6 +424,7 @@ exports.getOauthUnlink = async (req, res, next) => {
     provider = validator.escape(provider);
     const user = await User.findById(req.user.id);
     user[provider.toLowerCase()] = undefined;
+    const tokenToRevoke = user.tokens.find((token) => token.kind === provider.toLowerCase());
     const tokensWithoutProviderToUnlink = user.tokens.filter((token) => token.kind !== provider.toLowerCase());
 
     // Remove provider's picture entry
@@ -457,6 +461,9 @@ exports.getOauthUnlink = async (req, res, next) => {
       });
       return res.redirect('/account');
     }
+
+    // Best-effort: revoke the OAuth token at the provider's endpoint before unlinking
+    await revokeProviderTokens(provider.toLowerCase(), tokenToRevoke);
     user.tokens = tokensWithoutProviderToUnlink;
     await user.save();
     req.flash('info', {